Application of Private Network Traversal Technology in Softswitch System

Abstract: This paper analyzes the problems that private networks and NAT technology cause in softswitch systems, introduces a method for solving the softswitch private network traversal problem, and discusses the further impact that applying this method may have on the softswitch network.

Keywords: NGN, softswitch, NAT, PAT, private network traversal
I. Introduction
The Next Generation Network (NGN) is a communication network based on packet-switching technology. It differs greatly from the existing circuit-switched network in overall architecture, signaling control and bearer network. Softswitch technology, which implements call control and media transmission over the packet network, will be the core technology of the NGN. Because softswitch technology is itself based on IP packet networks, a softswitch architecture can be built on top of the existing data network. The benefits are that many existing IP-based protocols can continue to be used, and a large number of existing network devices and terminals can be applied directly to the softswitch network. Building a softswitch network on the existing data network has these advantages, but it also brings a number of problems, and private network traversal is one that must be solved.

II. The problem of private network traversal in the softswitch system
1. The concept of the private network and the origin of NAPT
With the spread of the TCP/IP-based Internet, the number and size of private networks have grown as well. A private network is a relatively independent, closed network of devices interconnected using private IP addresses; this kind of networking is widely used when building LANs of every size. It is fair to say that in today's networks the number of devices using private IP addresses far exceeds the number holding legitimate (publicly routable) Internet addresses. To let these devices reach resources outside the private network, NAT (Network Address Translation) came into being: when an internal device tries to reach an external network, NAT converts its private IP address into a legitimate public address. Together with NAT, dynamic port translation (PAT) is generally used to deal with the shortage of public addresses. Under PAT, one or a few public IP addresses serve as the egress address for every device in the private network; only when a device asks to connect to the outside is a public IP address and port number allocated to that request, and when the request ends the port number and address are reclaimed. NAT and PAT are usually used together, which is called network address and port translation (NAPT). NAPT has brought the IP network many benefits: it eases IPv4 address exhaustion on the Internet, and it hides the internal topology and blocks unsolicited inbound connections, which improves the manageability and, to a degree, the security of the private network. Because of these advantages NAPT is widely used in private network gateway devices: it is a basic function of most routers and an important part of firewall functionality.

2. How NAPT affects the softswitch
(1) The terminal cannot be reached (the PAT problem)
Suppose we have the softswitch network shown in Figure 1. Terminals A and B sit in private networks and hold only private IP addresses, while terminal C has its own public IP address. For convenience, assume all terminals are SIP terminals and that communication between the softswitch and the terminals also uses standard SIP. If terminal A initiates a call to terminal B, it generates the message shown in Figure 2; after passing through the router's NAPT it becomes the message shown in Figure 3 (where 1050 is the port number dynamically allocated by NAPT). Only the IP and transport headers are rewritten; the SIP headers still carry A's private address.

When terminal B registers with the softswitch, the REGISTER message at the SIP layer tells the softswitch B's private address. As long as B has not itself initiated a connection to the outside, the firewall has not allocated it a reachable public IP address and port, so the softswitch has no way to deliver the INVITE to terminal B and the call cannot be set up.

(2) Private addresses inside the application-layer message (the NAT problem)
Now suppose terminal A calls terminal C. There is no firewall or router in front of terminal C, so the softswitch can forward the INVITE to C without difficulty. The INVITE carries SDP, which the terminals use for media negotiation; the main purpose of that negotiation is to choose a suitable codec and set up the RTP media stream. The SDP carried in A's INVITE is shown in Figure 4 (where 10006 is the port on which terminal A expects the RTP connection).

Figure 4 SDP information in the INVITE message

After receiving this SDP, terminal C will try to set up an RTP connection to 192.168.0.3:10006. That is an address inside the private network, so the media stream cannot be established and the call fails.

From the above analysis, NAPT affects softswitch communication in two main ways. On one hand, devices in the private network all use internal IP addresses; NAPT can translate the IP-layer address to an external one, but it does nothing about the private IP addresses carried inside the application-layer message (the Via and Contact headers and the SDP). We call this the NAT problem. On the other hand, a private network device is allocated a public IP address and port only when it initiates a connection to the outside; without special handling the device is invisible to the external network and cannot accept a call request from the softswitch. We call this the PAT problem. The problems described here for SIP are the same when H.323, MGCP or H.248 is used between the softswitch and the terminal.
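The following added example (not code from the paper) makes the NAT problem concrete. It builds a constructed INVITE like the one terminal A sends, with the SDP of Figure 4, and pulls out every address the message carries at the application layer. A NAPT gateway rewrites only the packet's IP and transport headers, so none of these fields change on the way out; the script shows which of them are private (and therefore useless to terminal C) and where C would try to send its RTP. The header values, the domain `softswitch.example` and the Via branch are assumptions.

```python
import ipaddress
import re

# Constructed sample, not from the paper: the INVITE terminal A (192.168.0.3)
# sends, with the SDP of Figure 4 (RTP on port 10006). Header values are illustrative.
INVITE_FROM_A = (
    "INVITE sip:B@softswitch.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.0.3:5060;branch=z9hG4bK776\r\n"
    "From: <sip:A@softswitch.example>;tag=1928\r\n"
    "To: <sip:B@softswitch.example>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 1 INVITE\r\n"
    "Contact: <sip:A@192.168.0.3:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=A 1 1 IN IP4 192.168.0.3\r\n"
    "s=-\r\n"
    "c=IN IP4 192.168.0.3\r\n"
    "t=0 0\r\n"
    "m=audio 10006 RTP/AVP 0 8\r\n"
)

ADDR_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?")


def application_layer_addresses(message):
    """Collect the addresses a SIP request carries *inside* the message.

    A NAPT gateway rewrites only the IP/UDP header of the packet (the paper's
    Figure 3: 192.168.0.3 -> 123.44.55.11:1050); none of these fields change.
    Returns {field: (ip, port)}; ip or port is None where the field has none.
    """
    found = {}
    head, _, body = message.partition("\r\n\r\n")
    for line in head.split("\r\n"):
        name, _, value = line.partition(":")
        if name in ("Via", "Contact"):
            m = ADDR_RE.search(value)
            if m:
                found[name] = (m.group(1), int(m.group(2)) if m.group(2) else None)
    for line in body.split("\r\n"):
        if line.startswith(("c=", "o=")):
            found[line[:2]] = (line.split()[-1], None)
        elif line.startswith("m="):
            found["m="] = (None, int(line.split()[1]))
    return found


def private_addresses(message):
    """Fields whose address is from a private range (RFC 1918 and friends),
    i.e. addresses a peer outside the NAT cannot use."""
    return {
        field: ip
        for field, (ip, _) in application_layer_addresses(message).items()
        if ip is not None and ipaddress.ip_address(ip).is_private
    }


def rtp_target(message):
    """The (ip, port) a peer would send RTP to after reading this SDP, plus
    whether that target is reachable from the public Internet."""
    fields = application_layer_addresses(message)
    ip, port = fields["c="][0], fields["m="][1]
    return ip, port, not ipaddress.ip_address(ip).is_private


if __name__ == "__main__":
    print("private addresses in the message:", private_addresses(INVITE_FROM_A))
    print("terminal C would send RTP to:", rtp_target(INVITE_FROM_A))
```

The same check is what a NAT/ALG or the NAT/FW Proxy of section III has to perform before rewriting: find every address-bearing field, not only the SDP `c=` line.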

III. A solution to the problem of private network traversal
1. Methods for solving the NAPT traversal problem
(1) The NAT/ALG method
This method adds to firewalls or routers the ability to recognize and process the VoIP application-layer protocols, rewriting the addresses inside them as the packets pass. It is the most intuitive solution, but its biggest disadvantage is that users must replace or upgrade their routers or firewalls, and as the protocols evolve and expand, the devices have to be upgraded again.

(2) Setting up a proxy for private network devices
This method requires no change to user equipment: a dedicated proxy device is added at the central office that operates the softswitch network, and that device performs the private network traversal. The author believes this technique has clear advantages over the previous one. The proxy performs signaling proxying and conversion and also proxies the media stream; we will call it the NAT/FW Proxy for now.

(3) Other schemes
Other traversal schemes include MIDCOM, STUN and TURN. Like NAT/ALG, each of them requires upgrading something: the router or firewall (MIDCOM) or the terminal (STUN and TURN). STUN also fails behind symmetric NAT, which is one reason TURN relays exist.

2. Using the NAT/FW Proxy to solve the PAT problem
Taking Figure 1 as the starting point, a NAT/FW Proxy device is added to the softswitch network, giving the structure shown in Figure 5. Once the NAT/FW Proxy is added, every terminal behind a private network gateway (router or firewall) must change its registration address from the softswitch's address to the IP address of the NAT/FW Proxy. The NAT/FW Proxy and the softswitch can talk SIP, MGCP, H.248 or another protocol, depending on the type of device being proxied.

On the one hand, when a device sends its registration to the NAT/FW Proxy, the NAT/FW Proxy allocates it a proxy signaling port, replaces the terminal address in the original registration (the Contact field) with the address of the NAT/FW Proxy, and sends the registration on to the softswitch through that port. As a result, every signaling message from the terminal to the softswitch and from the softswitch to the terminal passes through the NAT/FW Proxy, where it can be given the special handling it needs.

On the other hand, when a terminal in the private network sends its registration to the NAT/FW Proxy, the private network gateway at the edge of the private network allocates a public IP address and port number to this connection, forming a "window". When the NAT/FW Proxy receives the registration message, it takes the window from the source address and port of the packet rather than from the address inside the message. As long as it can keep this window open and bind the window to the proxy port it allocated for the device, a transparent signaling channel from the device to the softswitch is established, which solves the PAT part of the NAPT problem.

How the window is kept open depends on the terminal. For a SIP terminal, a shorter registration validity period (Expires) can be configured so that the terminal keeps re-registering with the NAT/FW Proxy. For an MGCP terminal, the NAT/FW Proxy can keep sending it AUEP messages, and the terminal's responses keep the window open. Whichever method is used, the interval between the terminal's messages must be shorter than the idle timeout of the window. Many gateways expire an idle UDP binding well within a minute, so the interval has to be chosen against the actual gateway rather than assumed, and the NAT/FW Proxy must re-learn the window on every refresh, since a gateway that has expired a binding will allocate a new port the next time the terminal sends.
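The following added example (not code from the paper) simulates the relation between the terminal's re-registration interval and the gateway's idle timeout with a minimal NAPT model. Terminal B registers from its private address; the NAT/FW Proxy records the window seen on the latest REGISTER; the softswitch's INVITE is then sent to that window. The public address 123.44.55.22 follows Figure 5; B's private address, the timeout values and the port numbering are assumptions.

```python
from dataclasses import dataclass, field

# Constructed scenario, not from the paper: terminal B (assumed private address
# 192.168.0.4:5060) behind a NAPT gateway with public address 123.44.55.22 (Figure 5),
# registering with the NAT/FW Proxy. Timeout values are assumed.
TERMINAL_B = ("192.168.0.4", 5060)


@dataclass
class NaptGateway:
    """Minimal NAPT model: one binding per private (ip, port), dropped after idle_timeout
    seconds without outbound traffic. Inbound packets reach only a live binding."""
    public_ip: str
    idle_timeout: float
    next_port: int = 1060
    bindings: dict = field(default_factory=dict)   # private -> [public (ip, port), last_seen]

    def outbound(self, src, now):
        """Translate an outbound packet; returns the public (ip, port) it leaves with."""
        entry = self.bindings.get(src)
        if entry is not None and now - entry[1] <= self.idle_timeout:
            entry[1] = now                              # refresh the window
            return entry[0]
        public = (self.public_ip, self.next_port)       # expired or new: a fresh port
        self.next_port += 1
        self.bindings[src] = [public, now]
        return public

    def inbound(self, dst, now):
        """Deliver a packet addressed to public (ip, port); None if no live window."""
        for src, (public, last_seen) in self.bindings.items():
            if public == dst and now - last_seen <= self.idle_timeout:
                return src
        return None


def simulate(register_interval, nat_timeout, invite_at):
    """Terminal re-registers every register_interval seconds from t=0. The NAT/FW Proxy
    records the window seen on the latest REGISTER. At invite_at the softswitch's INVITE
    is sent to that window. Returns (reached the terminal?, window the proxy holds)."""
    gw = NaptGateway("123.44.55.22", nat_timeout)
    proxy_window = None
    t = 0.0
    while t <= invite_at:
        proxy_window = gw.outbound(TERMINAL_B, t)   # REGISTER leaves through the window
        t += register_interval
    reached = gw.inbound(proxy_window, invite_at) == TERMINAL_B
    return reached, proxy_window


if __name__ == "__main__":
    # Expires shorter than the gateway's idle timeout: the window stays open.
    print(simulate(register_interval=30, nat_timeout=60, invite_at=100))
    # Expires longer than the timeout: the INVITE is dropped at the gateway.
    print(simulate(register_interval=120, nat_timeout=60, invite_at=100))
    # Refresh arriving after expiry: the call still works, but only because the
    # proxy picked up the new port from the latest REGISTER.
    print(simulate(register_interval=90, nat_timeout=60, invite_at=100))
```

The third case is the one that bites in practice: the terminal believes it is registered, the gateway has silently reassigned the port, and only a proxy that re-learns the window from each refresh keeps delivering INVITEs.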

3. Using the NAT/FW Proxy to solve the NAT problem
Assume all terminals are SIP terminals and that standard SIP is also used between the softswitch and the terminals. In the configuration of Figure 5, terminals A and B are both in private networks, so when they register with the NAT/FW Proxy the private network gateway allocates each an external port; assume these are 123.44.55.11:1050 (terminal A) and 123.44.55.22:1060 (terminal B). At the same time each is allocated a proxy signaling port on the NAT/FW Proxy, assumed to be 123.44.55.77:1001 (terminal A) and 123.44.55.77:1002 (terminal B). Now A calls B. The INVITE passes through the private network gateway and arrives at the NAT/FW Proxy, which proxies the signaling and sends it to the softswitch, as shown in Figures 6 and 7:

After the softswitch receives and processes the INVITE, it forwards it to B. Because B is also registered with the softswitch through the NAT/FW Proxy, the softswitch's message (Figure 8) is addressed to B's proxy port; the NAT/FW Proxy receives it, performs the proxy conversion, and sends it to the router or firewall in front of B. The result of the conversion is shown in Figure 9.

The firewall looks up that window in its connection table and delivers the signaling message correctly to terminal B. The other signaling messages exchanged during call setup are relayed in the same way as the INVITE.
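The following added example (not code from the paper) models the signaling side of the NAT/FW Proxy described in sections III.2 and III.3: on REGISTER it allocates a proxy port, records the window from the packet's real source address, and rewrites Contact toward the softswitch; on an INVITE that the softswitch addresses to a proxy port, it restores the terminal's own Contact in the Request-URI and sends the packet to the window. The addresses 123.44.55.77:1001/1002, 123.44.55.11:1050 and 123.44.55.22:1060 follow the text; the terminals' private addresses, the domain `softswitch.example` and the message bodies are assumptions, and a real SIP proxy's Via and Record-Route handling is left out.

```python
import re
from dataclasses import dataclass, field

PROXY_IP = "123.44.55.77"   # NAT/FW Proxy address from the paper's section III.3

CONTACT_RE = re.compile(r"^(Contact:\s*<sip:[^@>]*@)([^>;]+)", re.M)
FROM_USER_RE = re.compile(r"^From:\s*<sip:([^@>]+)@", re.M)
REQ_URI_RE = re.compile(r"^(INVITE sip:[^@ ]*@)([^ ;]+)")


def sip_register(user, private_host):
    """Constructed REGISTER as a terminal sends it: it names its *private* address."""
    return (
        f"REGISTER sip:softswitch.example SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP {private_host};branch=z9hG4bK{user}\r\n"
        f"From: <sip:{user}@softswitch.example>;tag=1\r\n"
        f"To: <sip:{user}@softswitch.example>\r\n"
        f"Contact: <sip:{user}@{private_host}>\r\n"
        f"Expires: 60\r\n\r\n"
    )


@dataclass
class Registration:
    proxy_port: int          # signaling port allocated on the NAT/FW Proxy
    private_contact: str     # host:port the terminal wrote in its own Contact
    window: tuple            # public (ip, port) the NAPT gateway opened for it


@dataclass
class NatFwProxy:
    """Signaling side of the NAT/FW Proxy: rewrites Contact toward the softswitch and
    maps the softswitch's INVITEs back to the terminal's window."""
    ip: str = PROXY_IP
    next_port: int = 1001
    regs: dict = field(default_factory=dict)      # user -> Registration
    by_port: dict = field(default_factory=dict)   # proxy port -> user

    def on_register(self, src, message):
        """src is where the packet really came from (the window), not what it says inside."""
        user = FROM_USER_RE.search(message).group(1)
        private_contact = CONTACT_RE.search(message).group(2)
        reg = self.regs.get(user)
        if reg is None:
            reg = Registration(self.next_port, private_contact, src)
            self.next_port += 1
            self.regs[user] = reg
            self.by_port[reg.proxy_port] = user
        reg.window = src                          # re-learned on every refresh
        reg.private_contact = private_contact
        to_softswitch = CONTACT_RE.sub(
            lambda m: f"{m.group(1)}{self.ip}:{reg.proxy_port}", message)
        return reg.proxy_port, to_softswitch

    def on_invite_from_softswitch(self, message):
        """Returns (destination (ip, port), INVITE as sent to the gateway in front of the terminal)."""
        host, _, port = REQ_URI_RE.match(message).group(2).partition(":")
        if host != self.ip or not port.isdigit() or int(port) not in self.by_port:
            raise ValueError("INVITE is not addressed to a proxy signaling port")
        reg = self.regs[self.by_port[int(port)]]
        to_terminal = REQ_URI_RE.sub(
            lambda m: f"{m.group(1)}{reg.private_contact}", message, count=1)
        return reg.window, to_terminal


# Constructed INVITE as the softswitch sends it after learning B's rewritten Contact.
INVITE_FROM_SOFTSWITCH = (
    "INVITE sip:B@123.44.55.77:1002 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP softswitch.example;branch=z9hG4bK99\r\n"
    "From: <sip:A@softswitch.example>;tag=2\r\n"
    "To: <sip:B@softswitch.example>\r\n\r\n"
)

if __name__ == "__main__":
    proxy = NatFwProxy()
    proxy.on_register(("123.44.55.11", 1050), sip_register("A", "192.168.0.3:5060"))
    proxy.on_register(("123.44.55.22", 1060), sip_register("B", "192.168.0.4:5060"))
    print(proxy.on_invite_from_softswitch(INVITE_FROM_SOFTSWITCH))
```

The check in `on_invite_from_softswitch` matters: the proxy must only relay to windows it learned from a registration, or it becomes an open relay that anyone can use to push traffic through customers' gateways.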

4. Using the NAT/FW Proxy to proxy the media stream
Take terminal A calling terminal C in Figure 5. When A's INVITE arrives at the NAT/FW Proxy, the proxy allocates two RTP proxy ports for A: an outgoing proxy port, A1, and an incoming proxy port, A2. The NAT/FW Proxy replaces the RTP port description in the SDP of the original INVITE with the address and port of A2 and sends it to the softswitch. When the softswitch returns terminal C's SDP, the NAT/FW Proxy records C's actual RTP address and port, replaces them with A1, and sends the SDP to terminal A. Once the call is established and terminal A starts sending RTP packets, a temporary RTP "window" is created on the private network gateway; as long as the media stream keeps flowing (the terminal should send comfort noise RTP packets even when there is no speech), this window stays open. Because the peer RTP port that A obtained is actually the outgoing proxy port A1 on the NAT/FW Proxy, A's RTP packets go to the NAT/FW Proxy, which forwards them to C's real RTP port. Likewise, the RTP port of A that terminal C obtained is actually the incoming proxy port A2, so C's packets go to A2, and the NAT/FW Proxy forwards them through the temporary RTP window on the private network gateway to terminal A. In practice the NAT/FW Proxy can only learn the address of that window from the source address of A's first RTP packets, so C's media reaches A only after A has started sending.

When two devices are behind two different firewalls and both are registered with the same NAT/FW Proxy, as when terminal A calls terminal B in Figure 5, the NAT/FW Proxy knows that both are registered with it, so instead of two proxy ports per terminal it needs only one pair of ports, say A1 and B1, where A1 is both A's outgoing port and B's incoming port, and B1 is both B's outgoing port and A's incoming port. If terminals A and B are behind the same private network gateway, the NAT/FW Proxy need not allocate any proxy ports at all and can let them set up the RTP stream directly inside the private network.
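The following added example (not code from the paper) models the media side of the NAT/FW Proxy for the three cases above: the A-to-C call with an outgoing port A1 and an incoming port A2, the one-pair case when both terminals are on the same proxy, and the no-port case when both sit behind one gateway. It also shows the SDP rewriting and the relay table, including that the proxy learns A's RTP window from A's first packet. The proxy address follows Figure 5; the RTP port range, terminal C's address 203.0.113.9, the gateway names and A's RTP window are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed example, not the paper's code. Proxy address and terminals follow Figure 5;
# the RTP port range, C's address (203.0.113.9) and the gateway names are assumed.


@dataclass
class Endpoint:
    name: str
    gateway: Optional[str]   # private network gateway it sits behind; None = public address (C)
    on_this_proxy: bool      # registered with this NAT/FW Proxy


def sdp_media_addr(sdp):
    """(ip, port) a peer reading this SDP would send RTP to."""
    ip = re.search(r"^c=IN IP4 (\S+)", sdp, re.M).group(1)
    port = int(re.search(r"^m=audio (\d+)", sdp, re.M).group(1))
    return ip, port


def rewrite_sdp(sdp, ip, port):
    """Replace the connection address and the audio port with the proxy's."""
    sdp = re.sub(r"^c=IN IP4 \S+", f"c=IN IP4 {ip}", sdp, flags=re.M)
    return re.sub(r"^m=audio \d+", f"m=audio {port}", sdp, flags=re.M)


@dataclass
class MediaProxy:
    ip: str = "123.44.55.77"
    next_port: int = 20000
    forward: dict = field(default_factory=dict)   # proxy port -> (ip, port) packets are relayed to
    learn: dict = field(default_factory=dict)     # proxy port -> proxy port whose target is learned here

    def _alloc(self):
        port, self.next_port = self.next_port, self.next_port + 2   # keep RTP ports even
        return port

    def plan(self, a, b):
        """Proxy RTP ports for a call a->b, following section III.4: no ports behind one
        gateway, one pair when both are on this proxy, otherwise A1 (out) and A2 (in)."""
        if a.gateway is not None and a.gateway == b.gateway:
            return {}
        if a.on_this_proxy and b.on_this_proxy:
            a1, b1 = self._alloc(), self._alloc()
            return {a.name: {"out": a1, "in": b1}, b.name: {"out": b1, "in": a1}}
        if a.on_this_proxy:
            return {a.name: {"out": self._alloc(), "in": self._alloc()}}
        raise ValueError("neither endpoint is registered with this proxy")

    def setup_call(self, a, c, offer_from_a, answer_from_c):
        """A (behind NAT, on this proxy) calls C (public). Returns the ports and the two
        SDPs as forwarded: the offer toward the softswitch, the answer toward A."""
        ports = self.plan(a, c)[a.name]
        a1, a2 = ports["out"], ports["in"]
        offer_out = rewrite_sdp(offer_from_a, self.ip, a2)      # C is told to send to A2
        self.forward[a1] = sdp_media_addr(answer_from_c)        # what arrives at A1 goes to C
        self.forward[a2] = None                                 # A's window is not known yet...
        self.learn[a1] = a2                                     # ...it is learned from packets at A1
        answer_out = rewrite_sdp(answer_from_c, self.ip, a1)    # A is told to send to A1
        return ports, offer_out, answer_out

    def on_rtp(self, dst_port, src):
        """Relay decision for an RTP packet arriving at dst_port from src; None = drop."""
        if dst_port in self.learn:
            self.forward[self.learn[dst_port]] = src   # A's RTP window on its gateway, latched
        return self.forward.get(dst_port)


# Constructed SDP bodies: A's offer (as in Figure 4) and C's answer.
OFFER_A = "v=0\r\no=A 1 1 IN IP4 192.168.0.3\r\ns=-\r\nc=IN IP4 192.168.0.3\r\nt=0 0\r\nm=audio 10006 RTP/AVP 0 8\r\n"
ANSWER_C = "v=0\r\no=C 1 1 IN IP4 203.0.113.9\r\ns=-\r\nc=IN IP4 203.0.113.9\r\nt=0 0\r\nm=audio 30000 RTP/AVP 0\r\n"

if __name__ == "__main__":
    px = MediaProxy()
    A = Endpoint("A", "gw_a", True)
    C = Endpoint("C", None, False)
    ports, offer_out, answer_out = px.setup_call(A, C, OFFER_A, ANSWER_C)
    print(ports, sdp_media_addr(offer_out), sdp_media_addr(answer_out))
    print(px.on_rtp(ports["in"], ("203.0.113.9", 30000)))    # C first: dropped, window unknown
    print(px.on_rtp(ports["out"], ("123.44.55.11", 41006)))  # A's first packet latches its window
    print(px.on_rtp(ports["in"], ("203.0.113.9", 30000)))    # now relayed to A's window
```

Latching on the first packet is the reason the text asks terminals to keep sending (comfort noise) and also why the relay must be tied to the call: a port that latches onto whatever source speaks first can be hijacked if it is left open for arbitrary senders.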

5. Other considerations
The description above of private network traversal with the NAT/FW Proxy assumed SIP terminals, but the method is not limited to SIP: when terminals use H.248, MGCP or other protocols, private network traversal can be achieved in the same way as long as the NAT/FW Proxy supports the corresponding protocol.

From an architectural standpoint, there may be many devices in private networks that need proxied traversal. When a single NAT/FW Proxy cannot handle them all, several NAT/FW Proxies can be deployed and the devices registered with different ones. For example, one NAT/FW Proxy can be configured to handle traversal for SIP terminals and two to handle traversal for MGCP terminals.

IV. Extended applications in the softswitch system
Beyond private network traversal, the NAT/FW Proxy architecture, with a little extension, can also bring the softswitch system some other unexpected gains.

1. Protecting the softswitch from attack
In a normal configuration the address of the softswitch is visible to all users, so if someone maliciously attacks it, for example with a DoS attack, the attack is hard to fend off. If instead all terminals are required to register with the NAT/FW Proxy and reach the softswitch only through it, the softswitch address is completely invisible to the outside. Since NAT/FW Proxy devices are relatively inexpensive, several can be deployed, and if one is attacked the terminals simply need to be re-pointed to another NAT/FW Proxy for registration. Note that this moves the attack surface rather than removing it: the NAT/FW Proxy now terminates all signaling and media, so it must itself be hardened and rate-limited.

2. Preventing communication fraud
Normally, once the softswitch has set up a call, the addresses, ports and media capabilities of both terminals are fully visible to each other. If someone uses a terminal that supports point-to-point connections to bypass the softswitch and connect to the other party directly, the softswitch cannot bill the call and communication fraud results. If all terminals are registered with the NAT/FW Proxy as described in 1, the terminals can only interact through proxy ports on the NAT/FW Proxy, and only the other party's number is visible between terminals, which avoids such fraud to a large extent.

3. Media stream control
With all terminals registered with the NAT/FW Proxy, the media streams between terminals must also pass through it. If the NAT/FW Proxy's functions are extended, the problem of unregulated media streams in the softswitch system can be addressed: billing by traffic volume, limiting a user's bandwidth to prevent unauthorized media streams (such as video), collecting media stream QoS information, and even meeting lawful-interception requirements from security authorities.

Realizing these benefits has a price, however: the media traffic of the entire softswitch network must be concentrated at the NAT/FW Proxies, which greatly increases the load on that part of the network and to some extent gives up the flexibility that the softswitch gains from separating control from bearer.

V. Conclusion
This paper has introduced a method for solving the private network traversal problem in softswitch networks by deploying a dedicated proxy server. The method has already been put into use. It is believed that as softswitch networks continue to grow, this traversal method will be applied more and more widely.
